
SLIDE 1

Cryptography Authentication and Data Integrity Aims of Authentication Authentication with Symmetric Key Encryption Authentication with Hash Functions Authentication with MACs Digital Signatures

1/27

Authentication and Data Integrity

Cryptography

School of Engineering and Technology CQUniversity Australia

Prepared by Steven Gordon on 15 Apr 2020, auth.tex, r1850

SLIDE 2

Contents

◮ Aims of Authentication
◮ Authentication with Symmetric Key Encryption
◮ Authentication with Hash Functions
◮ Authentication with MACs
◮ Digital Signatures

SLIDE 3

Attacks on Information Transfer

  1. Disclosure: encryption
  2. Traffic analysis: encryption
  3. Masquerade: message authentication
  4. Content modification: message authentication
  5. Sequence modification: message authentication
  6. Timing modification: message authentication
  7. Source repudiation: digital signatures
  8. Destination repudiation: digital signatures

SLIDE 4

Aims of Authentication

◮ Receiver wants to verify:
  1. Contents of the message have not been modified (data authentication)
  2. Source of message is who they claim to be (source authentication)
◮ Different approaches available:
  ◮ Symmetric Key Encryption
  ◮ Hash Functions
  ◮ Message Authentication Codes (MACs)
  ◮ Public Key Encryption (i.e. Digital Signatures)

SLIDE 6

Symmetric Encryption for Authentication

Credit: Figure 12.1(a) in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011

SLIDE 7

Recognising Correct Plaintext in English (question)

B receives ciphertext (supposedly from A, using shared secret key K):

DPNFCTEJLYONCJAEZRCLASJTDQFY

B decrypts with key K to obtain plaintext:

SECURITYANDCRYPTOGRAPHYISFUN

Was the plaintext encrypted with key K (and hence sent by A)? Is the ciphertext received the same as the ciphertext sent by A?

SLIDE 8

Recognising Correct Plaintext in English (question)

B receives ciphertext (supposedly from A, using shared secret key K):

QEFPFPQEBTOLKDJBPPXDBPLOOVX

B decrypts with key K to obtain plaintext:

FTUEUEFTQIDAZSYQEEMSQEADDKM

Was the plaintext encrypted with key K (and hence sent by A)? Is the ciphertext received the same as the ciphertext sent by A?

SLIDE 9

Recognising Correct Plaintext in Binary (question)

B receives ciphertext (supposedly from A, using shared secret key K):

0110100110101101010110111000010

B decrypts with key K to obtain plaintext:

0101110100001101001010100101110

Was the plaintext encrypted with key K (and hence sent by A)? Is the ciphertext received the same as the ciphertext sent by A?

SLIDE 10

Recognising Correct Plaintext

◮ Many forms of information as plaintext can be recognised as correct
◮ However not all, and often not automatically
◮ Authentication should be possible without decryptor having to know context of the information being transferred
◮ Authentication purely via symmetric key encryption is insufficient
◮ Solutions:
  ◮ Add structure to information, such as error detecting code
  ◮ Use other forms of authentication, e.g. MAC

SLIDE 12

Authentication by Hash and then Encrypt

Credit: Figure in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011

SLIDE 13

Authentication by Encrypting a Hash

Credit: Figure in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011

SLIDE 14

Attack of Authentication by Encrypting a Hash (exercise)

If a hash function did not have the Second Preimage Resistant property, then demonstrate an attack on the scheme in the figure on slide 13.

SLIDE 15

Authentication with Hash of a Shared Secret

Credit: Figure in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011

SLIDE 16

Attack of Authentication with Hash of Shared Secret (exercise)

If a hash function did not have the Preimage Resistant property, then demonstrate an attack on the scheme in the figure on slide 15.

SLIDE 18

Authentication with only MACs

Credit: Figure in Stallings, Cryptography and Network Security, 5th Ed., Pearson 2011

SLIDE 19

Authentication using Encryption and a MAC

◮ Common to want both confidentiality and authentication (data integrity)
◮ MACs have advantage over hashes in that if encryption is defeated, then MAC still provides integrity
◮ But two keys must be managed: encryption key and MAC key
◮ Recommended that the algorithms used for encryption and MAC are independent
◮ Three general approaches (following definitions), referred to as authenticated encryption

SLIDE 20

Encrypt-then-MAC (definition)

The sender encrypts the message M with symmetric key encryption, then applies a MAC function on the ciphertext. The ciphertext and the tag are sent, as follows:

E(K1, M)||MAC(K2, E(K1, M))

Two independent keys, K1 and K2, are used.
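An added example, not part of the original slides: encrypt-then-MAC as defined above, alongside the earlier point that a receiver using encryption alone cannot tell a modified ciphertext from a genuine one. HMAC-SHA256 as the MAC, the toy SHA-256 keystream standing in for E, the nonce handling and the sample message are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes
NONCE_LEN = 16


def keystream_xor(key, nonce, data):
    """Toy stand-in for E(K1, M): XOR with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def seal(k1, k2, message):
    """Encrypt-then-MAC: send nonce || C || MAC(K2, nonce || C), where C = E(K1, M)."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + keystream_xor(k1, nonce, message)
    return body + hmac.new(k2, body, hashlib.sha256).digest()


def open_sealed(k1, k2, packet):
    """Check the tag first; decrypt only if it matches."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(k2, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC check failed, message rejected")
    return keystream_xor(k1, body[:NONCE_LEN], body[NONCE_LEN:])


def demo():
    k1, k2 = os.urandom(32), os.urandom(32)  # two independent keys, K1 and K2
    packet = seal(k1, k2, b"PAY 0100 TO BOB")  # constructed sample message
    tampered = bytearray(packet)
    tampered[NONCE_LEN + 5] ^= 0x01  # one ciphertext bit changed in transit
    tampered = bytes(tampered)
    # Encryption alone: decryption succeeds and yields a different, plausible message.
    unauthenticated = keystream_xor(k1, tampered[:NONCE_LEN], tampered[NONCE_LEN:-TAG_LEN])
    try:
        open_sealed(k1, k2, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return open_sealed(k1, k2, packet), unauthenticated, rejected
```

Calling `demo()` returns the intact plaintext, the plaintext obtained from the modified ciphertext without a MAC check, and whether the MAC check rejected the modified packet.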

SLIDE 21

MAC-then-Encrypt (definition)

The sender applies a MAC function on the plaintext, appends the result to the plaintext, and then encrypts both. The ciphertext is sent, as follows:

E(K1, M||MAC(K2, M))

SLIDE 22

Encrypt-and-MAC (definition)

The sender encrypts the plaintext, as well as applying a MAC function on the plaintext, then combines the two results. The ciphertext joined with tag are sent, as follows:

E(K1, M)||MAC(K2, M)

SLIDE 23

Recommended Approach for Authenticated Encryption

◮ There are small but important tradeoffs between encrypt-then-MAC, MAC-then-encrypt and encrypt-and-MAC
◮ Potential attacks on each, especially if a mistake is made in applying them
◮ Generally, encrypt-then-MAC is recommended, but there are cases against it
◮ Some discussion of issues:
  ◮ Chapter 9.6.5 of Handbook of Cryptography
  ◮ Moxie Marlinspike
  ◮ StackExchange
◮ Other authenticated encryption approaches incorporate authentication into the encryption algorithm
  ◮ AES-GCM, AES-CCM, ChaCha20 and Poly1305

SLIDE 25

Digital Signatures

◮ Authentication has two aims:
  ◮ Authenticate data: ensure data is not modified
  ◮ Authenticate users: ensure data came from correct user
◮ Symmetric key crypto, MAC functions are used for authentication
  ◮ But cannot prove which user created the data since two users have the same key
◮ Public key crypto for authentication
  ◮ Can prove that data came from only 1 possible user, since only 1 user has the private key
◮ Digital signature
  ◮ Encrypt hash of message using private key of signer

SLIDE 26

Digital Signatures in Practice

◮ User A has own key pair: (PU_A, PR_A)
◮ Signing
  ◮ User A signs a message by encrypting hash of message with own private key: S = E(PR_A, H(M))
  ◮ User attaches signature S to message M and sends to user B
◮ Verification
  ◮ User B verifies a message by decrypting signature with signer’s public key: h = D(PU_A, S)
  ◮ User B then compares hash of received message, H(M), with decrypted h; if identical, signature is verified
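The signing and verification steps above, carried through with textbook RSA as an added example that is not part of the original slides. The toy key pair (two Mersenne primes), the use of SHA-256 reduced modulo N as H, and the sample messages are assumptions; practical signatures use much larger keys and a padding scheme such as RSA-PSS.

```python
import hashlib

# Constructed toy key pair for user A: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E_PUB = 65537                               # public exponent, PU_A = (E_PUB, N)
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))  # private exponent, PR_A = (D_PRIV, N)


def H(message: bytes) -> int:
    """H(M): SHA-256 reduced modulo N so that it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """S = E(PR_A, H(M)): only the holder of the private exponent can compute this."""
    return pow(H(message), D_PRIV, N)


def verify(message: bytes, signature: int) -> bool:
    """h = D(PU_A, S); accept only if h equals H(M) of the received message."""
    return pow(signature, E_PUB, N) == H(message)


def demo():
    message = b"transfer 10 to B"  # constructed sample message
    s = sign(message)
    genuine = verify(message, s)                  # unmodified message and signature
    modified = verify(b"transfer 90 to B", s)     # message changed after signing
    bad_signature = verify(message, s + 1)        # signature changed in transit
    return genuine, modified, bad_signature
```

`demo()` returns the verification result for the genuine message, for a message modified after signing, and for a modified signature.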

SLIDE 27

Digital Signature Example